Yubico PIV Management Tools



Active Directory Smart Card Logon using the YubiKey NEO or NEO-n
Document Version 1.0
April 15, 2015

Yubico PIV Management Tools 2015 Yubico. All rights reserved. Page 1 of 24

About Yubico

As the inventors of the YubiKey, Yubico sets new world standards for secure login across the Internet. Our unique USB and NFC key offers one-touch strong authentication supporting multiple authentication protocols for all devices and platforms, with no driver or client software needed. With successful enterprise deployments in 140 countries, including 7 of the top 10 Internet companies, Yubico is adding the consumer market to its list of strong authentication converts. Founded in 2007, Yubico is privately held with offices in Palo Alto, Calif., Stockholm, and London. For more information visit yubico.com

Disclaimer

The contents of this document are subject to revision without notice due to continued progress in methodology, design, and manufacturing. Yubico shall have no liability for any error or damages of any kind resulting from the use of this document. The Yubico Software referenced in this document is licensed to you under the terms and conditions accompanying the software or as otherwise agreed between you or the company that you are representing.

Trademarks

Yubico and YubiKey are trademarks of Yubico Inc.

Contact Information

Yubico Inc
459 Hamilton Avenue, Suite 304
Palo Alto, CA 94301 USA
yubi.co/contact

Contents

About Yubico ... 2
Disclaimer ... 2
Trademarks ... 2
Contact Information ... 2
1 Introduction ... 4
1.1 Dependencies ... 4
1.2 Preparing the YubiKey NEO for use with the Yubico PIV Management Tools ... 5
2 YubiKey PIV Manager Graphical User Interface (GUI) ... 7
2.1 Downloading and Installing the YubiKey PIV Manager ... 7
2.2 First Use: Setting a PIN ... 9
2.3 Requesting a Certificate for Smart Card Logon from a Windows Certification Authority ... 11
2.4 Importing an existing smart card logon certificate to the YubiKey NEO ... 13
2.5 Changing the PIN ... 14
2.6 Resetting the PIV Applet When It has been Blocked ... 15
3 Yubico PIV Tool Command Line Interface (CLI) ... 17
3.1 Downloading and running the Yubico PIV Tool ... 17
3.2 Changing the PIN / PUK codes ... 17
3.3 Changing the Management Key ... 18
3.4 Requesting a Certificate for Smart Card Logon from a Windows Certification Authority ... 18
3.5 Importing an existing smart card logon certificate to the YubiKey NEO ... 20
3.6 Resetting the Yubico PIV Applet When It has been Blocked ... 20
4 APPENDIX A: Group Policy Settings for Domain Administrators ... 22
5 APPENDIX B: Filling in the Subject field when requesting a certificate from the CA - Determining a User's Distinguished Name in Active Directory ... 24

1 Introduction

The YubiKey NEO and NEO-n support the Personal Identity and Verification Card (PIV) interface specified in the NIST SP 800-73 document "Cryptographic Algorithms and Key Sizes for PIV". This enables you to perform RSA or ECC sign/decrypt operations using a private key stored on the smart card, through common interfaces like PKCS#11. Yubico has developed the YubiKey PIV Manager and the Yubico PIV Tool (referred to collectively as "Yubico PIV Management Tools") which, when used in conjunction with the YubiKey NEO or YubiKey NEO-n, can request and import certificates to log into Microsoft Windows Active Directory domain environments.

The structure of the YubiKey NEO as a PIV card follows the specifications defined in NIST SP 800-73. PIV can also be used for document signing, encryption, and physical access. There are four PIV slots on the YubiKey NEO, each one reserved for a specific purpose defined by the NIST specifications:

9a is for PIV Authentication
9c is for Digital Signature
9d is for Key Management
9e is for Card Authentication

Use of slots 9c (document signing), 9d (encryption), and 9e (physical access) is not covered in this document, which is intended for use of slot 9a only (smart card authentication). To read more about the PIV specifications, visit the following NIST webpage: http://csrc.nist.gov/groups/sns/piv/standards.html

This document covers both the YubiKey PIV Manager (Graphical User Interface, or "GUI") and the Yubico PIV Tool (Command Line Interface, or "CLI"). In general, the YubiKey PIV Manager is intended for users of any technical skill level, while the Yubico PIV Tool is intended for advanced users only.

If a YubiKey NEO or YubiKey NEO-n is initially configured using the Yubico PIV Tool, we do not recommend using the YubiKey PIV Manager unless the default Management Key has been changed through the Yubico PIV Tool. When a YubiKey NEO or YubiKey NEO-n is plugged in and used with the YubiKey PIV Manager, if the Management Key is still the default, the YubiKey PIV Manager also assumes the PIN and PUK are both default. If you try to initialize the YubiKey NEO with the YubiKey PIV Manager in this case, initialization will fail and the applet will have to be reset using the Yubico PIV Tool.

When the YubiKey NEO or YubiKey NEO-n are referenced in this document, you will simply see "YubiKey NEO". Please note that the behavior will be identical when using a YubiKey NEO-n.

1.1 Dependencies

This document covers preparing the YubiKey NEO to be used with the Yubico PIV Management Tools, and using the YubiKey PIV Manager or Yubico PIV Tool to set and change PIN/PUK codes, change the default Management Key, request and load certificates from a Windows Certification Authority, and reset the applet in the case of locking out the device (three consecutive incorrect PIN or PUK entries will lock the applet).

There are several dependencies required for the Yubico PIV Management Tools to properly prepare a YubiKey NEO for smart card logon to a domain environment. The dependencies are outside the scope of this document, and include:

1) Setting up a Windows Certification Authority (CA)
2) Configuring an Active Directory domain
3) Creating a Smart Card Logon template within the CA
4) Creating an Enrollment Agent (if intending to load previously-generated certificates rather than requesting them through the Yubico PIV Management Tools)

1.2 Preparing the YubiKey NEO for use with the Yubico PIV Management Tools

Before the YubiKey NEO can be used with the Yubico PIV Management Tools, CCID mode must be enabled using the YubiKey NEO Manager. The newest version of the YubiKey NEO Manager can be downloaded here:

YubiKey NEO Manager for Windows: http://yubi.co/neomgrwin
YubiKey NEO Manager for Mac OS X: http://yubi.co/neomgrmac
YubiKey NEO Manager for Linux: http://yubi.co/neomrglux

For full release history, visit https://developers.yubico.com/yubikey-neo-manager/releases/

Once installed, open the YubiKey NEO Manager. YubiKey NEO devices currently sold are shipped with U2F and OTP mode enabled, while CCID mode is disabled. As you can see in the image above, the Change connection mode button shows OTP and U2F in brackets. To enable CCID mode, click Change connection mode. You will see the following window:

Click on CCID and then click OK. You will be prompted to remove your YubiKey NEO. Remove and re-insert your YubiKey NEO. You can confirm that CCID is enabled by verifying that the Change connection mode button now shows CCID. You will also notice that the installed CCID applets are now listed on the left side of the window.

2 YubiKey PIV Manager Graphical User Interface (GUI)

The YubiKey PIV Manager was designed to meet the needs of most users. The interface can be used to set/change PINs and PUKs, request certificates from a Certification Authority, delete certificates, import certificates, and reset the PIV applet in cases where the PIN is incorrectly entered three consecutive times (this locks the applet and can only be remedied by resetting the applet).

Domain administrators also have additional options through Group Policy that allow them to customize the user experience with the YubiKey PIV Manager. Complexity requirements and PIN expirations can be enforced, options can be removed from the YubiKey PIV Manager, etc. For a full list of Group Policy options, see Appendix A at the end of this document.

NOTE: The YubiKey PIV Manager is intended to be distributed to users in a domain environment. A proper connection to the Certification Authority must be established prior to running the YubiKey PIV Manager.

2.1 Downloading and Installing the YubiKey PIV Manager

In order to request certificates from a Windows Certification Authority, the computer you install the YubiKey PIV Manager on must have an active connection to the CA. There are a few options to implement this:

You can run the application from a laptop or desktop computer that is joined to the domain. It must have an active connection to the domain controller (either connected on the local network, or connected over VPN).

You can run the application over RDP to any Windows computer that has an active connection to the domain. The source and destination computers must both be running the Windows Operating System. Using this method, you would plug the YubiKey NEO into your local Windows computer, use the Windows Remote Desktop Application (mstsc.exe) to connect to a domain-joined computer, and run the YubiKey PIV Manager on the domain-joined computer to request and load the certificate.

1. The YubiKey PIV Manager can be downloaded from the following location:

YubiKey PIV Manager for Windows: http://yubi.co/yubipivwin
YubiKey PIV Manager for Mac OS X: http://yubi.co/yubipivmac
YubiKey PIV Manager for Linux: http://yubi.co/yubipivlux

For full release history, visit https://developers.yubico.com/yubikey-piv-manager/releases/

2. Once downloaded, double-click on the file to open the installation wizard.

3. Click Next to begin the installation process.

4. We recommend retaining the default location, but if you prefer to install in another folder, specify that location by clicking Browse and selecting a new location. Click Next to continue.

5. By default, a Start Menu folder is created that links to the application. If you do not want a Start Menu folder to be created, click the checkbox next to Do not create shortcuts. Click Install to continue. The application will now install.

6. Click Finish to close the installation wizard. You can now open the YubiKey PIV Manager.

2.2 First Use: Setting a PIN

The first time you open the YubiKey PIV Manager, assuming you have a YubiKey NEO that hasn't been previously set up with PIV, you will see the following window:

NOTE FOR ADMINISTRATORS: During device initialization, a new Management Key is set. By default, the Tool cryptographically processes the PIN set on this screen to generate a management key, and the user cannot determine the Management Key after this point. This also means that neither you nor the user will be able to modify the state of the applet, either through the YubiKey PIV Manager or the Yubico PIV Tool. For this reason, we recommend setting strong PIN complexity requirements at the Group Policy level. If you choose not to follow this recommendation, or if you decide you need to know the Management Key, you can select the option Use a separate key. This displays a window allowing you to either manually set a new Management Key (must be exactly 48 alphanumeric characters) or use the built-in tool to generate a random Management Key; in either case, store the value in a safe place. You can read more about this here: https://developers.yubico.com/yubikey-piv-manager/pin_and_management_key.html

Here, you will need to set up a new PIN. The PIN is essentially a password, and will need to be entered when you are requesting certificates, logging into the domain using your YubiKey NEO, etc. Unless your Administrator has specified otherwise, the PIN must be 4-8 characters in length and can contain capital and lowercase letters, numbers, and special characters (!, @, #, etc.).

You also have the option here to set the Management Key. Leave the default setting (use PIN as key) unless instructed by your Administrator. Enter a new PIN, confirm the new PIN, and then click OK.

Now that the PIN is set, you can continue to requesting a certificate from the Windows Certification Authority, or importing an existing Smart Card Logon certificate.

2.3 Requesting a Certificate for Smart Card Logon from a Windows Certification Authority

Now that you've set up a PIN, you can request a certificate from the Certification Authority.

1. Click Certificates to get started.

2. To request a certificate from the Windows Certification Authority, click Generate new key.

3. Under Output, ensure Request a certificate from a Windows CA is selected. Depending on your organization, the Certificate Template field may already be filled in. If not, manually enter the name of the smart card logon certificate template provided by your Administrator.

The Subject field should automatically be populated here, but if it's blank, we recommend filling it in. Your Administrator should be able to provide this value for you. If assistance is needed, your Administrator may need to refer to Appendix B at the end of this document.

4. Click OK to continue the request.

5. You are prompted to confirm your PIN. Enter your PIN, and then click OK. The YubiKey PIV Manager is now requesting the specified certificate from the Certification Authority. Once it has located the Certification Authority, you are asked to confirm it.

6. Click OK to continue. When the certificate has been successfully imported, you will receive a confirmation dialog.

7. Click OK to acknowledge the message.

You can now exit the YubiKey PIV Manager. We recommend removing the YubiKey NEO and then plugging it back in. You can test the login (either logging into your domain account, or connecting over RDP) to verify the certificate is working properly.

2.4 Importing an existing smart card logon certificate to the YubiKey NEO

In certain cases, you may already have a certificate for smart card logon that just needs to be imported to the YubiKey NEO. If so, open the YubiKey PIV Manager:

1. From the home screen (shown above), click Certificates.

2. To import an existing certificate, click Import from file. You will receive a warning that anything currently stored in slot 9a will be overwritten by importing the certificate.

3. Click OK to acknowledge the warning.

4. Browse to the certificate file you want to import, and then click Open.

You will be asked to confirm the password that was set on the certificate.

NOTE: Whoever created the certificate was prompted to enter a password to protect the certificate. You must enter the password they provided you here. This field is not for confirming the PIN you set previously.

5. Enter the password provided by your Administrator and then click OK. You will receive a confirmation message that your certificate was successfully imported.

6. Click OK to acknowledge the message. It is recommended that you remove the YubiKey NEO and re-insert it before testing smart card logon.

2.5 Changing the PIN

You can change the PIN on the PIV applet at any time through the YubiKey PIV Manager.

1. From the home screen, click Manage device PINs.

2. To change the PIN, click Change PIN.

3. Enter the current PIN, then enter a new PIN in the New PIN and Repeat new PIN fields, and then click OK. If the current PIN is entered correctly and the new PIN both matches and meets the complexity requirements, you will see the following window:

4. Click OK to confirm and exit.

2.6 Resetting the PIV Applet When It has been Blocked

If an incorrect PIN code is entered three consecutive times without entering the correct PIN code, the applet is locked out. Once this happens, any certificates that have been loaded can no longer be accessed. You will not be able to make any changes or use the PIV applet until the applet has been reset. If you find yourself in this situation, the home screen will appear as follows:

1. To continue, you need to reset the PIV applet. To do this, click Manage device PINs.

2. Click Reset device.

3. Click OK to confirm resetting the applet.

4. Click OK to confirm. You will be returned to the home screen. After a few moments, you are prompted to reinitialize the device and set a new PIN. Return to Section 2.2 for instructions on completing this process.

3 Yubico PIV Tool Command Line Interface (CLI)

The Yubico PIV Tool is a CLI that was designed for advanced users who prefer a command line interface over a graphical user interface. The CLI provides a more comprehensive set of options for the Yubico PIV applet. You can run the following command for a full list of supported commands:

    yubico-piv-tool --full-help

3.1 Downloading and running the Yubico PIV Tool

Download the Yubico PIV Tool from the following website. There are Windows, Mac, and Linux versions: http://yubi.co/yubipivtool

Once downloaded, extract the contents of the folder, and then copy the folder to an easily accessible location. For our example, we have extracted the folder to the root of the C drive. Then, open Command Prompt, and browse to the Yubico PIV Tool bin directory.

3.2 Changing the PIN / PUK codes

By default, the PIN code on the PIV applet is 123456, while the PUK code is 12345678. To change the PIN code, run the following command:

    yubico-piv-tool -a change-pin -P [old PIN] -N [new PIN]

For example, changing the PIN from the default 123456 to "Password5":

    yubico-piv-tool -a change-pin -P 123456 -N Password5

To change the PUK code, run the following command:

    yubico-piv-tool -a change-puk -P [old PUK] -N [new PUK]

For example, changing the PUK from the default 12345678 to "Wizard8":

    yubico-piv-tool -a change-puk -P 12345678 -N Wizard8

3.3 Changing the Management Key

It is recommended that you change the Management Key. By default, the management key (slot 9b) is 010203040506070801020304050607080102030405060708. To change the management key, enter the following command:

    yubico-piv-tool -a set-mgm-key -n [48-digit alphanumeric]

For example:

    yubico-piv-tool -a set-mgm-key -n 323952132926047123902817012802918722530631548110

It is highly recommended that you store a copy of the new Management Key in a safe place for future use.

Once you've successfully changed the Management Key to something other than the default, the command is a little different if you need to change it again, as you will first need to supply the current Management Key:

    yubico-piv-tool -k [current management key] -a set-mgm-key -n [new management key]

For example, continuing with our initial sample change listed above, we will now change the Management Key back to the default with the following command:

    yubico-piv-tool -k 323952132926047123902817012802918722530631548110 -a set-mgm-key -n 010203040506070801020304050607080102030405060708

3.4 Requesting a Certificate for Smart Card Logon from a Windows Certification Authority

1. In order to request a certificate for smart card logon from a Windows Certification Authority, you must first generate a new private key to be stored in slot 9a:

    yubico-piv-tool -s 9a -a generate -o public.pem

2. Once the private key is successfully generated, you will need to generate a certificate request for the Windows Certification Authority:

    yubico-piv-tool -a verify-pin -P [PIN] -s 9a -a request-certificate -S "/CN=example/O=test/" -i public.pem -o request.csr

For example, generating a certificate for myself (Chris), where the current PIN is Password5, the user account name is Chris, the Organizational Unit is IT, and the domain is lab.yubilab.local:

    yubico-piv-tool -a verify-pin -P Password5 -s 9a -a request-certificate -S "/CN=Chris/OU=IT/DC=lab/DC=yubilab/DC=local/" -i public.pem -o request.csr

3. Once the certificate request is successfully generated, you will need to submit the request to the Windows Certification Authority:

    yubico-piv-tool -a verify-pin -P [PIN] -s 9a -a request-certificate

4. Now that the certificate request has been generated, you need to send the request to the Certification Authority:

    certreq -submit -attrib "CertificateTemplate:[certificate template name]" request.csr cert.crt

For example, the certificate template my company created that is used for smart card logon is named "User2":

    certreq -submit -attrib "CertificateTemplate:User2" request.csr cert.crt

5. Once the command is able to communicate with the Certification Authority, you will be prompted to confirm the CA is correct.

6. Click OK to confirm the correct Certification Authority has been queried. If a dialog box is displayed asking you to confirm that you want to overwrite the contents of slot 9a, confirm.

7. To import the certificate to slot 9a of the YubiKey NEO:

    yubico-piv-tool -s 9a -a import-certificate -i cert.crt

You should receive the "successfully imported a new certificate" confirmation message.

8. The final step requires setting a CHUID, which is necessary for the certificate to be usable in Windows:

    yubico-piv-tool -a set-chuid

You will receive the confirmation message "Successfully set a new CHUID". You can now close Command Prompt (if you want). Prior to attempting to use the YubiKey NEO for smart card logon, it is recommended you remove the device, and then plug it back into your computer.

3.5 Importing an existing smart card logon certificate to the YubiKey NEO

In certain cases, you may already have a certificate for smart card logon that just needs to be imported to the YubiKey NEO. If so, you will need to run the following command:

    yubico-piv-tool --slot 9a --input=[certificate file path] --password=[certificate password] --key-format=pkcs12 --action=set-chuid --action=import-key --action=import-certificate -v2

For example, my certificate, named Chris.pfx, is located in the root of the C drive, and the password set on the certificate by my administrator is "Password5":

    yubico-piv-tool --slot 9a --input=c:\chris.pfx --password=Password5 --key-format=pkcs12 --action=set-chuid --action=import-key --action=import-certificate -v2

You should receive a confirmation that the certificate has been imported successfully, and the YubiKey NEO should be ready for smart card logon. Remove and reinsert your device before proceeding with testing.

3.6 Resetting the Yubico PIV Applet When It has been Blocked

If an incorrect PIN or PUK code is entered three consecutive times without entering the correct PIN/PUK code, the device is locked out. Once this happens, any certificates that have been loaded can no longer be accessed. You will not be able to make any changes or use the PIV applet until the applet has been reset to default. If you find yourself in this situation, you need to make sure both the PIN and the PUK are blocked, and then you need to reset the applet:

1. If the PUK is blocked, you then need to lock out the PIN, which involves entering the PIN incorrectly three times:

    yubico-piv-tool -a verify-pin -P 4711

In the example above, we chose a PIN that meets the default complexity requirements (at least four characters), and entered a random PIN that is different from our current PIN. If the process was successful, you'll receive the following message from the Yubico PIV Tool CLI:

    Pin code blocked, use unblock-pin action to unblock.

2. If the PIN is blocked but not the PUK, you then need to lock out the PUK, which involves entering the PUK incorrectly three times:

    yubico-piv-tool -a change-puk -P 4711 -N 67567

In the example above, since there is no verify-puk command, we attempt to change the PUK by providing an incorrect PUK. We are required to enter a new PUK for the command, but the value does not matter. If the process was successful, you'll receive the following message:

    The puk code is blocked, you will have to reinitialize the applet.

3. For the final step, use the reset command:

    yubico-piv-tool -a reset

You will receive the following confirmation message:

    Successfully reset the applet.

The PIV applet has been returned to the default state, where the PIN is 123456 and the PUK is 12345678.
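After a reset (section 3.6) the applet is back at the factory PIN, PUK and Management Key from sections 3.2 and 3.3, and the Management Key in particular is public knowledge. The following Python helper is an added example, not part of this guide or of Yubico's tools: it audits a PIN, PUK and Management Key against the defaults and the formats the guide states, and generates a replacement key from the OS CSPRNG. It assumes the key is entered as 48 hexadecimal digits (the 24-byte 3DES key yubico-piv-tool expects); the odd-parity adjustment is the DES key convention and does not affect key strength.

```python
import re
import secrets

# Factory defaults for the YubiKey NEO PIV applet, as given in sections 3.2 and 3.3.
DEFAULT_PIN = "123456"
DEFAULT_PUK = "12345678"
DEFAULT_MGM_KEY = "010203040506070801020304050607080102030405060708"

# The management key is a 24-byte 3DES key entered as 48 hexadecimal digits.
MGM_KEY_RE = re.compile(r"[0-9a-fA-F]{48}")


def validate_pin(pin: str) -> bool:
    """Default PIN policy from section 2.2: 4 to 8 characters."""
    return 4 <= len(pin) <= 8


def validate_management_key(key: str) -> bool:
    """True when the key is exactly 48 hex digits (24 bytes)."""
    return MGM_KEY_RE.fullmatch(key) is not None


def is_default_management_key(key: str) -> bool:
    return key.lower() == DEFAULT_MGM_KEY


def with_odd_parity(key_bytes: bytes) -> bytes:
    """Set the low bit of every byte so each byte has odd parity (DES key convention)."""
    out = bytearray()
    for b in key_bytes:
        high7 = b & 0xFE
        ones = bin(high7).count("1")
        out.append(high7 | (0 if ones % 2 else 1))
    return bytes(out)


def has_odd_parity(key_hex: str) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def generate_management_key() -> str:
    """A fresh random management key from the OS CSPRNG, as 48 lowercase hex digits."""
    return with_odd_parity(secrets.token_bytes(24)).hex()


def audit(pin: str, puk: str, mgm_key: str) -> list:
    """Findings for values that are still factory defaults or malformed (empty list = clean)."""
    findings = []
    if not validate_pin(pin):
        findings.append("PIN must be 4-8 characters")
    if pin == DEFAULT_PIN:
        findings.append("PIN is still the factory default 123456")
    if puk == DEFAULT_PUK:
        findings.append("PUK is still the factory default 12345678")
    if not validate_management_key(mgm_key):
        findings.append("management key must be 48 hexadecimal digits")
    elif is_default_management_key(mgm_key):
        findings.append("management key is still the factory default")
    return findings


if __name__ == "__main__":
    # Constructed sample: the applet state right after "yubico-piv-tool -a reset".
    for line in audit(DEFAULT_PIN, DEFAULT_PUK, DEFAULT_MGM_KEY):
        print("finding:", line)
    print("suggested new management key:", generate_management_key())
```

The generated value is what you would pass to `-n` in the set-mgm-key command above; record it somewhere safe before running the command, as the guide recommends.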

4 APPENDIX A: Group Policy Settings for Domain Administrators

Group Policy settings are stored in the Windows Registry, under:

    Computer\HKEY_CURRENT_USER\Software\Yubico\YubiKey PIV Manager

or

    Computer\HKEY_LOCAL_MACHINE\Software\Yubico\YubiKey PIV Manager

Available Settings:

Algorithm
Description: Which algorithm to use for key pair generation.
Key: algorithm
Type: string
Registry key type: REG_SZ
Valid options: RSA1024, RSA2048, ECC256
Default value: RSA2048

Card Reader
Description: String to match against when looking for compatible YubiKey devices.
Key: card_reader
Type: string
Registry key type: REG_SZ
Valid options: [not restricted]
Default value: [none]

Certreq Template
Description: Value to use in the CertificateTemplate parameter when calling certreq.exe.
Key: certreq_template
Type: string
Registry key type: REG_SZ
Valid options: [not restricted]
Default value: [none]

Complex PIN/PUKs
Description: True to require complex PIN and PUK requirements, or False to maintain default complexity requirements.
Key: complex_pins
Type: string
Registry key type: REG_SZ
Valid options: True, False
Default value: False

Enable Import
Description: When False, hide the Import from file button on the Certificates window.
Key: enable_import
Type: string
Registry key type: REG_SZ
Valid options: True, False
Default value: True

PIN as Management Key
Description: When True, the Management Key is based off of the PIN.
Key: pin_as_key
Type: bool
Registry key type: REG_SZ
Valid options: True, False
Default value: False

PIN Expiration
Description: When entering a non-zero value, a timestamp is written when the PIN is changed, and the user is forced to change the PIN after the specified number of days. Zero value = no PIN expiration.
Key: pin_expiration
Type: int
Registry key type: REG_DWORD
Valid options: 0 or greater
Default value: 0

Displayed Output Formats
Description: Output formats available when generating a key.
Key: shown_outs
Type: list of strings
Registry key type: REG_MULTI_SZ
Valid options: PK, SSC, CSR, CA
Default value: SSC, CSR, CA

Displayed Certificate Slots
Description: A list of which certificate slots to show in the YubiKey PIV Manager.
Key: shown_slots
Type: list of strings
Registry key type: REG_MULTI_SZ
Valid options: 9a, 9c, 9d, 9e
Default value: 9a, 9c, 9d, 9e

Subject Distinguished Name (DN)
Description: Subject to use when generating a CSR or self-signed certificate.
Key: subject
Type: string
Registry key type: REG_SZ
Valid options: [not restricted]
Default value: /CN=%USERNAME%
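The settings above have to land in the registry with the exact value types listed (REG_SZ strings for the True/False switches, a REG_DWORD for pin_expiration, REG_MULTI_SZ lists for shown_outs and shown_slots), and a mistyped value is silently ignored or misread. The Python below is an added example, not Yubico's code: it validates a policy against the table in this appendix and renders it as a .reg file suitable for import or for comparison with what a GPO actually wrote. The STRICT_POLICY values are constructed to illustrate a tightened configuration; the 90-day expiration is an assumption, since the guide only requires 0 or greater.

```python
# Settings and registry types exactly as listed in Appendix A.
SETTING_TYPES = {
    "algorithm": "REG_SZ",
    "card_reader": "REG_SZ",
    "certreq_template": "REG_SZ",
    "complex_pins": "REG_SZ",
    "enable_import": "REG_SZ",
    "pin_as_key": "REG_SZ",
    "pin_expiration": "REG_DWORD",
    "shown_outs": "REG_MULTI_SZ",
    "shown_slots": "REG_MULTI_SZ",
    "subject": "REG_SZ",
}

# Value restrictions from Appendix A; settings not listed here are unrestricted.
ALLOWED = {
    "algorithm": {"RSA1024", "RSA2048", "ECC256"},
    "complex_pins": {"True", "False"},
    "enable_import": {"True", "False"},
    "pin_as_key": {"True", "False"},
    "shown_outs": {"PK", "SSC", "CSR", "CA"},
    "shown_slots": {"9a", "9c", "9d", "9e"},
}

HIVES = {"HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"}
SUBKEY = r"Software\Yubico\YubiKey PIV Manager"


def reg_sz(value: str) -> str:
    """Quote a REG_SZ value; .reg files escape backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_dword(value: int) -> str:
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD must fit in 32 bits")
    return f"dword:{value:08x}"


def reg_multi_sz(values) -> str:
    """REG_MULTI_SZ is written as hex(7): UTF-16LE, each string NUL-terminated,
    and the whole list terminated by one more NUL."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def render_value(name: str, value) -> str:
    """Validate one setting against the appendix and render it in .reg syntax."""
    kind = SETTING_TYPES.get(name)
    if kind is None:
        raise KeyError(f"not an Appendix A setting: {name!r}")
    if kind == "REG_MULTI_SZ":
        items = [str(v) for v in value]
        bad = [v for v in items if name in ALLOWED and v not in ALLOWED[name]]
        if bad:
            raise ValueError(f"{name}: invalid entries {bad}")
        return reg_multi_sz(items)
    if kind == "REG_DWORD":
        return reg_dword(int(value))
    text = str(value)
    if name in ALLOWED and text not in ALLOWED[name]:
        raise ValueError(f"{name}: {text!r} not in {sorted(ALLOWED[name])}")
    return reg_sz(text)


def render_reg(settings: dict, hive: str = "HKEY_LOCAL_MACHINE") -> str:
    """Produce the text of a .reg file (CRLF line endings) for the given settings."""
    if hive not in HIVES:
        raise ValueError(f"hive must be one of {sorted(HIVES)}")
    lines = ["Windows Registry Editor Version 5.00", "", f"[{hive}\\{SUBKEY}]"]
    for name, value in settings.items():
        lines.append(f'"{name}"={render_value(name, value)}')
    return "\r\n".join(lines) + "\r\n"


# Constructed example policy, tighter than the defaults in Appendix A.
STRICT_POLICY = {
    "algorithm": "RSA2048",
    "complex_pins": "True",      # require complex PINs and PUKs
    "pin_as_key": "False",       # keep a separate, known Management Key
    "pin_expiration": 90,        # days; assumed value, the appendix only says "0 or greater"
    "enable_import": "False",    # hide the "Import from file" button
    "shown_slots": ["9a"],       # only the smart card logon slot this guide covers
    "shown_outs": ["CA"],        # only "request a certificate from a Windows CA"
    "subject": "/CN=%USERNAME%",
}

if __name__ == "__main__":
    print(render_reg(STRICT_POLICY), end="")
```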

5 APPENDIX B: Filling in the Subject field when requesting a certificate from the CA - Determining a User's Distinguished Name in Active Directory

The YubiKey PIV Manager should be able to properly query the current user's Distinguished Name in Active Directory. This is required for properly requesting the Smart Card Logon certificate with the YubiKey PIV Manager. This value needs to be in the Subject field of the Generate new key window. If you do not know what the value is, you will need to run a query from Command Prompt on the Active Directory server.

Note: This command cannot be run from a domain-joined computer. You must run the command from the Windows Server where Active Directory is installed for your domain.

1. Open a new Command Prompt window (Windows + R, type cmd, and press Enter).

2. Type in the following command:

    dsquery user -name [CN]

Note: CN is the Common Name of your Active Directory User. This command should return a result similar to the following:

    CN=[USERNAME],OU=[COMPANY],DC=[DOMAIN NAME]

Consider the example below for a more detailed explanation of the process.

For example: I'm trying to determine the Distinguished Name for user Joe Smith, but I'm not sure what his common name (CN) is. I run the following command in Command Prompt:

    dsquery user -name Joe*

Active Directory will return the Distinguished Name for all CNs beginning with Joe. In our small test domain, we only have one Joe, so we receive the following response:

    CN=joe.smith,OU=Yubico,DC=yubilab,DC=local

Now, if I want Joe to request a Smart Card Logon certificate, I'll instruct him to insert the following text into the Subject field on the Generate new key window:

    /CN=joe.smith/OU=Yubico/DC=yubilab/DC=local/

The simple command dsquery user will return a list of Distinguished Names for ALL users in your Active Directory environment.
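The conversion this appendix does by hand, from the comma-separated DN that dsquery returns to the slash-delimited Subject that both the YubiKey PIV Manager and the -S argument of yubico-piv-tool request-certificate (section 3.4) take, is easy to get wrong once a value contains an escaped comma ("CN=Smith\, Joe"). The following Python is an added example, not part of this guide or of Yubico's tools: it parses dsquery-style DNs, including the double quotes dsquery prints around each result and backslash escapes inside values, and emits the slash form. The sample output is constructed; the refusal of values containing "/" is a conservative choice, since the slash form has no escape for that character.

```python
# Constructed sample of what "dsquery user -name Joe*" prints: one quoted DN per line.
# The second line shows a backslash-escaped comma inside a value.
SAMPLE_DSQUERY_OUTPUT = '''"CN=joe.smith,OU=Yubico,DC=yubilab,DC=local"
"CN=Smith\\, Joe,OU=Yubico,DC=yubilab,DC=local"
'''


def parse_ldap_dn(dn: str) -> list:
    """Split an LDAP DN into (attribute, value) pairs, honouring backslash escapes
    such as "\\," inside a value and the double quotes dsquery prints around each DN."""
    dn = dn.strip()
    if len(dn) >= 2 and dn[0] == '"' and dn[-1] == '"':
        dn = dn[1:-1]
    if not dn:
        raise ValueError("empty DN")
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])   # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def to_piv_subject(dn: str) -> str:
    """Render the slash-delimited form the guide uses: /CN=.../OU=.../DC=.../DC=.../"""
    pairs = parse_ldap_dn(dn)
    for attr, value in pairs:
        if "/" in value:
            # The slash form has no escape for '/', so refuse rather than emit a
            # subject that the tools would split in the wrong place.
            raise ValueError(f"{attr}={value!r}: '/' cannot be carried in the slash form")
    return "/" + "/".join(f"{attr}={value}" for attr, value in pairs) + "/"


def subjects_from_dsquery_output(output: str) -> list:
    """One subject string per non-empty line of dsquery output."""
    return [to_piv_subject(line) for line in output.splitlines() if line.strip()]


if __name__ == "__main__":
    for subject in subjects_from_dsquery_output(SAMPLE_DSQUERY_OUTPUT):
        print(subject)
```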